Re: replacing misleading debian.org/security claims

2022-01-04 Thread Paul Wise
On Thu, 2021-12-30 at 11:04 -0500, Silas Cutler wrote:

> I'd also like to see information on both how to submit
> vulnerabilities as well as how to contribute to getting them fixed.

These are addressed in the FAQ:

https://www.debian.org/security/faq#discover
https://www.debian.org/security/faq#help
https://www.debian.org/security/faq#care

They refer to the Developer's Reference and security tracker docs:

https://www.debian.org/doc/developers-reference/pkgs.html#bug-security
https://security-tracker.debian.org/tracker/data/report

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Re: replacing misleading debian.org/security claims

2022-01-04 Thread Paul Wise
On Tue, 2021-12-28 at 19:46 +0100, max wrote:

> Debian's security updates are created by volunteers working in their
> spare time. Some packages may receive more attention than others. To
> view the current list of known unfixed vulnerabilities see
> https://security-tracker.debian.org/tracker/status/release/stable

This isn't entirely factual either. The LTS team is mostly composed of
people being paid to contribute, with some volunteers. Some of the
stable security team may also be paid, but there isn't any public
information about who is paid and who they work for.

https://wiki.debian.org/LTS/Team
https://wiki.debian.org/LTS/Funding

I suggest contacting the stable and LTS security teams to draft a
statement that best represents the current and future reality of Debian
security updates.

https://www.debian.org/security/faq#contact
https://wiki.debian.org/LTS#Get_in_contact
https://wiki.debian.org/LTS/Contact

> (Side note: It seems that NVD tends to assign "medium" severity to
> vulnerabilities initially, but upgrades them to "high" or "critical"
> later. However, Debian keeps showing the initial severity rating)

Please send a patch, issue or mail about that separately.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

